Agencies otherwise will move to the FDCC standard when they plan to update their computers, she said. OMB published three memos this year on plans for the standard configuration.

The Security Content Automation Program (SCAP) is automated software that can help agencies implement the standard configuration by monitoring whether applications adhere to the configuration and by checking systems for vulnerabilities.

Not all agencies support a standard configuration. Some people are also concerned that OMB and the National Institute of Standards and Technology have been so transparent in publishing documents for the FDCC standard and SCAP that hackers could exploit vulnerabilities, she said.

'It is possible that we could be vulnerable, but right now, I would have to say that we can't be more vulnerable than where we are today,' Evans said today at a security conference sponsored by NIST. 'We have utter chaos going on. We're losing information. We don't know what's coming and going. We're losing laptops that people didn't even know we had.'

Agencies that want to deviate from the configuration must apply for a waiver and document why their operations require it. NIST will track these changes to determine if there is a pattern that reflects a problem with settings in the standard configuration, Evans said.

'We did err on the high side of these settings so there would be more security,' she said.

OMB also requires that vendors incorporate SCAP to ensure that their software and hardware products operate as intended on the federal secure configuration, and agencies must verify that the companies have satisfied that requirement. Vendor products must not alter the standard configuration.

NIST, for example, has worked with Microsoft to develop a secure configuration for its operating systems, delivered as a virtual machine image that opens in a window over the desktop, said Matthew Barrett, co-lead of NIST's Information Security Automation Program.

Because it is automated, SCAP will let agencies stay on top of vulnerabilities better than manual methods, said Alan Paller, research director at the SANS Institute. Senior managers also can get full visibility into the security status of systems and networks.